Hello Ralf,
thank you very much for your help! :) In the first place it didn't work and I was sure you have tested the functionality, so I checked what I may have configured differently/wrong. So I checked my list of supportedControls which are presented to the clients:
ldapsearch -x -b "" -s base supportedControl
before: supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 2.16.840.1.113730.3.4.9 supportedControl: 1.2.840.113556.1.4.473 supportedControl: 1.3.6.1.4.1.4203.666.5.16 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12
This shows the list of supportedControls and the denied Controls were still visible.
To make it work I had to put olcAccess: {1}to dn.base="" by * read further down to olcAccess: {3}to dn.base="" by * read below the two denied Controls.
after: supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 1.3.6.1.4.1.4203.666.5.16 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12
After that the supportedControls weren't visible anymore when requesting the list.
Finally, my working frontend:
dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to dn.base="cn=subschema" by * read olcAccess: {1} to dn.base="" attrs=supportedControl val/objectIdentifierMatc h=1.2.840.113556.1.4.473 by * none olcAccess: {2} to dn.base="" attrs=supportedControl val/objectIdentifierMatc h=2.16.840.1.113730.3.4.9 by * none olcAccess: {3}to dn.base="" by * read olcAccess: {4}to attrs=userPassword,userPKCS12 by self write by * auth olcAccess: {5}to attrs=shadowLastChange by self write by * read olcAccess: {6}to * by * read olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 0 olcMonitoring: FALSE olcReadOnly: FALSE olcSchemaDN: cn=Subschema olcSyncUseSubentry: FALSE
Now requesting passwd/group/sudoers/etc with the Solaris 10 native client works like a charm, to me its like "less is more". :)
Thanks to all of you who tried to help and fix the problem, especially Ralf and Dieter.
Have a nice day, Benjamin.
On Wed, Nov 3, 2010 at 12:07, Ralf Haferkamp rhafer@suse.de wrote:
Am Mittwoch 03 November 2010, 09:52:26 schrieb Benjamin Griese:
Hello Ralf,
[..]
In the meantime I set the ACL, but unfortunatly it didn't help solving the problem, you may take a look at my example:
DN: olcDatabase={1}hdb,cn=config olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=ldapadm,dc=example,dc=de" write by dn="cn=proxyuser,ou=system,ou=people,dc=example,dc=de" read by anonymous auth by self write by * none olcAccess: {1} to dn.base="" attrs=supportedControl val/objectIdentifierMatch=1.2.840.113556.1.4.473 by * none olcAccess: {2} to dn.base="" attrs=supportedControl val/objectIdentifierMatch=2.16.840.1.113730.3.4.9 by * none olcAccess: {3}to dn.base="" by * read olcAccess: {4}to * by dn="cn=ldapadm,dc=example,dc=de" write by * read
If I remember right {4} is not opening up the access when it is explicitly denied in the ACLs {1} & {2}, am I right?
Yes, you are right.
But I'm not sure if this is the right place for this kind of ACL, cn=config instead should be wrong too I guess.
It has to be in the global ACL, i.e. you have to add it to olcDatabase={-1}frontend,cn=config.
Bye, Benjamin.
[..]
Ralf
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
openldap-technical@openldap.org
-
Benjamin Griese